Introduction
When upgrading from an older version of Vault to a newer one, you may find that Vault fails to start and that your operational logs contain errors like the following:
2022-12-05T13:52:35.530Z [ERROR] core: mount entry associated with pending removal builtin: name=app-id path=app-id/ status="pending removal" type=auth
2022-12-05T13:52:35.530Z [ERROR] core: shutting down core: error="could not mount \"app-id\": mount entry associated with pending removal builtin"
This is an error that can occur when you have soon-to-be removed features enabled when upgrading your version of Vault.
Explanation
You are receiving this error because of a deprecated feature in your Vault. There are multiple phases of deprecation which you can read about here. The four phases of deprecation are: Supported, Deprecated, Pending Removal, and Removed. The app-id auth method is in the Pending Removal phase.
Pending Removal: This status reflects a feature which has been officially deprecated in this release of Vault. This is the first phase in the process that fundamentally alters the behavior of Vault. The effects are two-fold:
- After an upgrade, any existing Pending Removal feature (builtin auth/secrets plugins enabled via CLI or API prior to upgrade) will log Error-level messages to the Vault log and cause an immediate shutdown of the Vault core.
- Any new Pending Removal feature will fail and log Error-level messages to the Vault log and CLI/API.
Version 1.12.0 introduced a new environment variable called VAULT_ALLOW_PENDING_REMOVAL_MOUNTS. This environment variable allows Vault to be started with builtin engines which have the Pending Removal deprecation state. It is a temporary stopgap that lets you complete the upgrade and then disable these engines. Once these engines are marked Removed (in the next major release of Vault), the environment variable will no longer work and a downgrade must be performed in order to remove the offending engines. This environment variable effectively allows all Pending Removal features to be treated as Deprecated.
Once you apply this environment variable, you'll then be able to start Vault. You must then work to migrate the deprecated feature to an alternative.
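To work out which mounts need migrating, the error lines shown in the Introduction can be parsed directly from the operational log. The following is an added example, not part of the original article or of Vault itself: `pending_removal_mounts` and `sample_log` are hypothetical helper names, and every sample log line after the first two is constructed.

```shell
#!/bin/sh
# Added example: list builtin mounts that Vault flagged as Pending Removal.
# pending_removal_mounts is a hypothetical helper name, not a Vault command.

# Reads Vault operational log lines on stdin and prints one unique
# "type<TAB>name<TAB>path" row per mount named in the startup error.
pending_removal_mounts() {
    awk '
    /\[ERROR\] core: mount entry associated with pending removal builtin:/ {
        name = ""; path = ""; type = ""
        # Fields are space separated key=value pairs; pick the three we need.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/) name = substr($i, 6)
            else if ($i ~ /^path=/) path = substr($i, 6)
            else if ($i ~ /^type=/) type = substr($i, 6)
        }
        key = type "\t" name "\t" path
        # Repeated start attempts log the same mount again; report it once.
        if (name != "" && !(key in seen)) { seen[key] = 1; print key }
    }'
}

# Sample input: the first two lines are from the article, the rest are
# constructed to show a non-matching line, a second mount and a repeat.
sample_log() {
    cat <<'EOF'
2022-12-05T13:52:35.530Z [ERROR] core: mount entry associated with pending removal builtin: name=app-id path=app-id/ status="pending removal" type=auth
2022-12-05T13:52:35.530Z [ERROR] core: shutting down core: error="could not mount \"app-id\": mount entry associated with pending removal builtin"
2022-12-05T13:55:02.114Z [INFO]  core: security barrier not initialized
2022-12-05T13:58:41.902Z [ERROR] core: mount entry associated with pending removal builtin: name=app-id path=legacy-apps/ status="pending removal" type=auth
2022-12-05T13:59:10.377Z [ERROR] core: mount entry associated with pending removal builtin: name=app-id path=app-id/ status="pending removal" type=auth
EOF
}

sample_log | pending_removal_mounts
```

Each row is a mount to migrate to an alternative and then disable once Vault is running with VAULT_ALLOW_PENDING_REMOVAL_MOUNTS set.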